Twitter worm was unleashed by 17-year-old Australian

Wednesday 22 September 2010 09.22 EDT
First published on Wednesday 22 September 2010 09.22 EDT

Yesterday's Twitter-worm fest was kicked off by a 17-year-old Australian called Pearce Delphin, according to AFP.

The teenager had identified the flaw of allowing javascript code to appear in tweets. He posted some code, which was then picked up by hackers and diverted into more malicious ends, including various garbled window messages and a diversion to a Japanese porn site. The virus spread easily because rather than activating by clicking, users only needed to hover over a link to trigger an action.

"I did it merely to see if it could be done … that JavaScript really could be executed within a tweet," Delphin told AFP. "At the time of posting the tweet, I had no idea it was going to take off how it did. I just hadn't even considered it."

Twitter was in chaos for about five hours before the bug was fixed. The New York Times reported Twitter had known about the problem in August and had fixed it, though an update not related to last week's redesign had revived the problem.

Twitter explained: "Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this an 'onMouseOver' flaw – the exploit occurred when someone moused over a link.

"Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge."

White House press secretary Robert Gibbs and Sarah Brown, wife of former PM Gordon, were among those affected. Delphin also pointed out that, if they could meet the 140-character challenge, hackers could have used the flaw to extract password information.

"I discovered a vulnerability, I didn't create a self-replicating worm. As far as I know, that isn't technically illegal," he said. "Hopefully I won't get in trouble!"

I think he's safe. Though he might just have helped his future employment prospects.

Update: The worm plot thickens. Given the chain of developments, how much did Delphin really discover? Masato Kinugawa used his original discovery to create rainbow tweets, but also notified Twitter. Delphin used the same flaw to generate popup windows. But it was Magnus Holm who tweaked the Javascript to update and automatically tweet from users' accounts, and the more malevolent hacks degenerated from there. Delphin may have spread the word about the flaw, but it's questionable whether he was the first to discover it.